Conventional event management systems such as intrusion detection systems (IDS) identify actions to take in response to events such as the receipt of data packets at an access point of a network. For example, an IDS looks for events deemed malicious and, in response to such events, sends an alert to a network administrator.
Conventional event management systems characterize events received at access points of a network by parameter values, which can include source and destination IP address values, source port number, and timestamp. Such event management systems find events whose parameter values obey predefined rules. An example of a predefined rule: when three access requests are received at an access point of a network from the same source IP address within 60 seconds, an alert is sent to the network administrator.
Rules can be defined at a factory installation of a conventional event management system. Alternatively, rules can be custom defined by the network administrator.
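The predefined rule described above (three access requests from the same source IP address within 60 seconds), written out as an added example that is not part of the original text. The `Event` field names, the `ThresholdRule` class, the `run_rule` helper and the sample events are assumptions constructed for illustration; the count and window are parameters so that the same logic covers both a factory default and an administrator-defined rule.

```python
from collections import defaultdict, deque, namedtuple

# Parameter values named in the text; the field names are assumptions.
Event = namedtuple("Event", "src_ip dst_ip src_port timestamp")


class ThresholdRule:
    """Alert when `count` events share a source IP within `window` seconds."""

    def __init__(self, count=3, window=60.0):
        self.count, self.window = count, window
        self._recent = defaultdict(deque)  # src_ip -> timestamps in window

    def observe(self, event):
        """Return an alert dict if this event makes the rule fire, else None."""
        recent = self._recent[event.src_ip]
        recent.append(event.timestamp)
        # Drop timestamps that have aged out of the sliding window.
        while event.timestamp - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.count:
            return None
        alert = {"src_ip": event.src_ip, "first": recent[0],
                 "last": event.timestamp, "events": len(recent)}
        recent.clear()  # one alert per burst, not one per further event
        return alert


def run_rule(events, rule):
    """Feed events in timestamp order; return the alerts raised."""
    ordered = sorted(events, key=lambda e: e.timestamp)
    return [a for a in map(rule.observe, ordered) if a is not None]


# Constructed sample events (documentation address ranges, times in seconds).
SAMPLE = [
    Event("198.51.100.7", "192.0.2.10", 40001, 0.0),
    Event("203.0.113.9", "192.0.2.10", 51000, 5.0),
    Event("198.51.100.7", "192.0.2.10", 40002, 20.0),
    Event("203.0.113.9", "192.0.2.10", 51001, 70.0),
    Event("198.51.100.7", "192.0.2.10", 40003, 45.0),
    Event("203.0.113.9", "192.0.2.10", 51002, 140.0),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE, ThresholdRule()):
        print("ALERT", alert)
```

With the default rule only 198.51.100.7 triggers an alert: the three requests from 203.0.113.9 are spread over 135 seconds, so no three of them fall inside one 60-second window.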